DNS Security Starts with the DNS Server

The DNS server is best equipped to deal with DNS threats since it is
where all the DNS intelligence resides. The following are four
capabilities that are necessary to protect the DNS. It is worth
investigating the capabilities of your DNS server to make certain all
of these defenses are available and enabled.

Defense No. 1: UDP source port randomization (UDP SPR) was specified
by key DNS vendors as the initial response to the Kaminsky attack.
Randomizing the UDP source port used in a query makes it harder for an
attacker to guess the query parameters in a fake answer. Although UDP
SPR is a useful defense, there is widespread concern that it is not an
adequate long-term response to cache poisoning.

In addition, Network Address Translation (NAT), firewalls, load
balancers and potentially other devices in the network may de-randomize
UDP source ports, thus rendering this protection less effective. For
these reasons, it is essential that other defenses are available and
enabled.

Defense No. 2: A secure mode of DNS operation when a potential
attack is detected is another useful defense. The DNS server should be
able to switch from a UDP to a TCP connection when mismatched query
parameters are observed (a sign an attack may be underway). This allows
an attacker only one chance to send a fake DNS answer for each fake DNS
question, which both slows the progress of an attack and significantly
reduces the probability of success (potentially by hundreds of times).

Defense No. 3: The single most important defense provides protection
when an attacker gets lucky and correctly guesses query parameters,
thus beating other defenses. This defense screens DNS query responses
and discards potentially harmful information in the response, such as
additional information that delegates DNS answers to a server that is
controlled by the attacker. This protects the DNS server in ways a
firewall, IPS or any other external device cannot.

Defense No. 4: The last defense to enable is alerting IT of unusual
DNS activity and providing specific details so remedial action can be
taken.
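The following is an added illustration, written for this article and not code from the author or from any vendor's DNS server, of how Defenses 2, 3 and 4 fit together on the resolver side. It assumes a simplified in-memory model of a query and a reply (transaction ID, UDP port, question name and the three record sections) rather than wire-format DNS. The `ResolverGuard` class is hypothetical: it counts replies whose transaction ID, destination port or question name do not match the outstanding query and switches to TCP mode once a threshold is crossed (Defense 2); it screens the records of a matching reply and drops anything outside the bailiwick of the server that was asked, such as glue that points a delegation at a foreign host (Defense 3); and it records an alert event with the specific details each time either check fires (Defense 4). The names, addresses and thresholds in `demo()` are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Query:
    txid: int          # 16-bit transaction ID the resolver chose
    src_port: int      # randomized UDP source port the query left from
    qname: str
    bailiwick: str     # zone the queried server is authoritative for


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    txid: int
    dst_port: int      # port the reply arrived on (must equal Query.src_port)
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a name below it (case/trailing-dot insensitive)."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def screen_response(query: Query, resp: Response) -> Tuple[List[RR], List[RR]]:
    """Defense 3: keep only records the queried server may speak for; drop the rest."""
    kept: List[RR] = []
    dropped: List[RR] = []
    for section in (resp.answer, resp.authority, resp.additional):
        for rr in section:
            (kept if in_bailiwick(rr.name, query.bailiwick) else dropped).append(rr)
    return kept, dropped


class ResolverGuard:
    """Hypothetical resolver-side guard combining Defenses 2, 3 and 4."""

    def __init__(self, threshold: int = 3, window: float = 10.0):
        self.threshold = threshold        # mismatches within window that trigger TCP mode
        self.window = window              # sliding window length in seconds
        self.mismatches: deque = deque()  # timestamps of recent mismatched replies
        self.tcp_mode = False
        self.alerts: List[Dict] = []      # Defense 4: alert log with specific details

    def _mismatch(self, query: Query, resp: Response) -> bool:
        return (resp.txid != query.txid
                or resp.dst_port != query.src_port
                or resp.qname.lower() != query.qname.lower())

    def _alert(self, kind: str, now: float, **details) -> None:
        self.alerts.append({"time": now, "kind": kind, **details})

    def process(self, query: Query, resp: Response, now: float) -> Optional[List[RR]]:
        """Return the records safe to cache, or None if the reply is rejected outright."""
        # Expire mismatch timestamps that fell out of the sliding window.
        while self.mismatches and now - self.mismatches[0] > self.window:
            self.mismatches.popleft()

        if self._mismatch(query, resp):
            # Defense 2: a reply that does not match the outstanding query is never used,
            # and a burst of them flips the resolver to TCP for this name.
            self.mismatches.append(now)
            self._alert("mismatched_reply", now, qname=query.qname,
                        expected=(query.txid, query.src_port),
                        got=(resp.txid, resp.dst_port))
            if len(self.mismatches) >= self.threshold and not self.tcp_mode:
                self.tcp_mode = True
                self._alert("switch_to_tcp", now, qname=query.qname,
                            mismatches=len(self.mismatches))
            return None

        kept, dropped = screen_response(query, resp)
        if dropped:
            self._alert("out_of_bailiwick", now, qname=query.qname,
                        bailiwick=query.bailiwick,
                        dropped=[(r.name, r.rtype, r.rdata) for r in dropped])
        return kept


def demo() -> Tuple[ResolverGuard, List[RR]]:
    """Constructed scenario: three guessed replies, then a genuine reply with foreign glue."""
    guard = ResolverGuard(threshold=3, window=10.0)
    q = Query(txid=0x1A2B, src_port=51234, qname="www.example.com.", bailiwick="example.com.")
    for i in range(3):   # forged replies with wrong transaction IDs (constructed)
        forged = Response(txid=0x0001 + i, dst_port=51234, qname="www.example.com.",
                          answer=[RR("www.example.com.", "A", "203.0.113.9")])
        guard.process(q, forged, now=1.0 + i)
    genuine = Response(                 # matching reply carrying one out-of-bailiwick record
        txid=0x1A2B, dst_port=51234, qname="www.example.com.",
        answer=[RR("www.example.com.", "A", "192.0.2.10")],
        authority=[RR("example.com.", "NS", "ns1.example.com.")],
        additional=[RR("ns1.example.com.", "A", "192.0.2.53"),
                    RR("ns.victim-bank.test.", "A", "203.0.113.5")])
    kept = guard.process(q, genuine, now=5.0)
    return guard, kept or []
```

In the demo the first three replies are discarded and the third one puts the guard into TCP mode; the genuine reply is accepted, but the glue record for `ns.victim-bank.test.` is dropped and logged because `example.com.` servers have no authority over that name. A real resolver would also check the answer-section name against the question and apply the bailiwick rule per delegation, but the structure of the checks is the same.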

Sandy Wilbourn is the Vice President of Engineering at Nominum. Sandy is also the co-founder and former security blogger at Determina. He helped create and deliver a patch for the Kaminsky attack, which has now been deployed in networks that serve over 150 million households. He can be reached at sandy.wilbourn@nominum.com.